1. Document Information
This document contains a description of CERT.br according to RFC 2350.
1.1 Date of Last Update
January 09, 2025
1.2 Distribution List for Notifications
There is no distribution list for notifications of new versions of this document.
1.3 Locations Where This Document May Be Found
The current version of this document can be found at https://cert.br/about/rfc2350/
For validation purposes, a GPG signed ASCII version of this document is located at https://cert.br/about/rfc2350/rfc2350-certbr.txt
The key used for signing is the CERT.br key as listed under 2.8.
2. Contact Information
2.1 Name of the Team
Name in English:
CERT.br - Computer Emergency Response Team Brazil
Name in Portuguese:
CERT.br - Centro de Estudos, Resposta e Tratamento de Incidentes de
Segurança no Brasil
2.2 Address
CERT.br/NIC.br
Av. das Nações Unidas, 11541, Cj 71/72
04578-000 - São Paulo, SP - Brazil
2.3 Time zone
CERT.br is located in São Paulo, Brazil, UTC-0300. Brazil no longer observes daylight saving time.
2.4 Telephone number
Not applicable. CERT.br does not accept incident reports via telephone.
2.5 Facsimile number
Not applicable.
2.6 Other telecommunication
iNOC-DBA: 22548*800
2.7 Electronic mail address
Incident reports should be sent to <cert@cert.br>.
2.8 Public keys and encryption information
CERT.br PGP Key has annual validity and the year's key is generated
in January. The Key information can be found at:
https://cert.br/contact/
CERT.br PGP Key can be found at:
https://cert.br/pgp/CERTbr.asc
2.9 Team members
No public information is provided about CERT.br members.
2.10 Other information
For additional information about how to contact CERT.br, see:
https://cert.br/contact/
CERT.br is a FIRST member, details at:
https://www.first.org/members/teams/cert-br
CERT.br is a TF-CSIRT member, Accredited by Trusted Introducer, details at:
https://www.trusted-introducer.org/directory/teams/certbr.html
2.11 Points of customer contact
To contact CERT.br regarding security incidents related to Brazilian
networks send an email to <cert@cert.br>.
CERT.br operates from Monday through Friday, from 09:00h to 18:00h, UTC-0300.
3. Charter
3.1 Mission statement
To increase the level of security and incident handling capacity of the networks connected to the Internet in Brazil.
3.2 Constituency
CERT.br provides incident analysis and coordination for any network that uses Internet Resources allocated by NIC.br, namely IP addresses or Autonomous Systems allocated to Brazil, and domains under the ccTLD .br.
CERT.br will always try to coordinate with more specific Brazilian CSIRTs and Security Teams. If none is available, it will do its best to locate the party responsible for the Autonomous System.
Educational material is provided for the general public at these
addresses:
https://cartilha.cert.br/
https://internetsegura.br/
3.3 Sponsorship and/or affiliation
CERT.br is a NIC.br service to Brazil. It was created in 1997 by initiative of the Brazilian Internet Steering Committee (CGI.br). CGI.br is a multi-stakeholder organization, coordinated by the Government, that coordinates all Internet-related activities in Brazil. Funding is solely provided by NIC.br (https://nic.br/).
The activities performed by CERT.br are in accordance with the CGI.br attributions, as defined in the Presidential Decree 4829[1], from 2003:
- I - to establish strategic directives related to the use and development of the Internet in Brazil;
- IV - to promote studies and recommend procedures, rules and technical and operational standards for the security of the network and services in the Internet, as well as for its growth and adequate use by the society;
- VI - to be represented at national and international forums related to the Internet;
These activities are also in accordance with the NIC.br objectives, according to its Statute[2]:
- IV - to address the security and emergency requisites of the Brazilian Internet, in articulation and cooperation with other entities;
- VII - to promote and collaborate in the organization of courses, symposiums, seminars, conferences and congresses, with the objective of contributing for the development and improvement of teaching opportunities in its areas of expertise.
References (in Portuguese):
1. https://cgi.br/pagina/decretos/108
2. https://nic.br/estatuto-nic-br/
3.4 Authority
CERT.br has no authority over its constituency; all activities are based on collaborative relationships with other entities.
4. Policies
4.1 Types of incidents and level of support
CERT.br is a National CSIRT of Last Resort and provides a focal point for incident notification in the country, providing the coordination and necessary support for organizations involved in incidents, including:
- Support in the analysis of compromised systems and in their recovery process;
- Establish collaborative relationships with other entities, such as other CSIRTs, universities, Internet service and access providers and telecommunication companies;
- Maintain public statistics of incidents handled and spam complaints received.
CERT.br is also committed to keeping its constituency informed of new trends and threats. In this respect CERT.br maintains both a national and an international network of sensors that provide data used to increase the capacity of incident detection, event correlation and trend analysis in the country.
4.2 Co-operation, interaction and disclosure of information
CERT.br treats all information as confidential by default, but will use the information shared to help solve security incidents. Information might be distributed forward to other teams/organizations on a need-to-know basis. Information will be anonymised whenever it is feasible.
CERT.br adheres to the Information Sharing Traffic Light Protocol according to the FIRST Standard Definitions and Usage Guidance: https://www.first.org/tlp/. Information that is labelled with the tags WHITE, GREEN, AMBER, or RED will be handled appropriately.
4.3 Communication and authentication
For normal communication not containing sensitive information CERT.br uses conventional methods like unencrypted e-mail. Please refer to sections 2.7 and 2.8. For sensitive information, the use of PGP encryption is strongly encouraged. If it is necessary to authenticate a person before communicating, this can be done either through existing communities (e.g. FIRST, TI) or by other methods like call-back, mail-back or even face-to-face meeting if necessary.
5. Services
5.1 Incident response
CERT.br will provide assistance to other teams in handling the technical and organizational aspects of incidents.
5.1.1. Incident triage
CERT.br will help to validate the incident, as well as to assess it and prioritise it.
5.1.2. Incident coordination
CERT.br encourages all teams to directly contact the most specific CSIRT or security team possible, and to keep CERT.br in copy on the communication.
CERT.br will then:
- Determine if all involved organizations were contacted and if any additional contact needs to be made;
- Facilitate contact to other parties which can help resolve the incident;
- If any help is needed, it will contact the involved organizations to help them to take the appropriate steps.
The most valuable service we can provide is to act as an information hub, which knows where to send the right incident reports to in order to help and facilitate the resolution of security incidents.
Due to staffing levels we cannot guarantee we can reply to all incident reports received. If the report was already sent to the best possible contacts, CERT.br will record the incident for statistical purposes, but it might not send any reply. If you haven't received any feedback to a report and need any action by CERT.br staff, please contact us again, clearly stating the type of help needed.
Auto-generated reports and data-feeds will be handled as automatically as possible.
5.1.3. Incident resolution
As CERT.br is a coordinating team, we do not have any authority to enforce requests for takedowns, shutdowns or any other specific action. To the best of our ability we will:
- Advise local security teams and system administrators on appropriate actions;
- Identify any new type of incident that could require the dissemination of best practices for prevention of future incidents;
- Collect and publicly disclose statistics on incidents and trends, as a way to create situational awareness in our constituency.
5.2 Proactive activities
CERT.br has several activities which aim to help our constituency to prevent as well as better handle computer security incidents:
- Raise security awareness in its constituency;
- Provide formal training in incident management;
- Observe current trends in technology;
- Aggregate, validate and redistribute data-feeds;
- Transfer relevant knowledge to the constituency, through best practices documents, presentations and training;
- Provide fora for community building and information exchange within the constituency;
- Collect contact information of local security teams.
6. Incident reporting forms
There are no forms available. Please refer to section 2.7.
7. Disclaimers
While every precaution is taken in the preparation of information and notifications, CERT.br assumes no responsibility for errors or omissions, or for damages resulting from the use of the information provided.